Date: 2024-07-01

It’s not a matter of if but when cyberattackers will come calling. Instilling a culture of caution is key to helping small businesses overcome attacks.

Luke Briggs was in the middle of a meeting when a scammer convinced one of his employees to send them $3,000 of his company’s money.

The employee received a text message from someone pretending to be Briggs, the co-founder and CEO of Rogers, Arkansas-based New Nexus Group. Even though the staffer could see his CEO in the conference room, the unusual message didn’t set off any alarm bells. The employee followed what he thought were Briggs’ directions by purchasing a stack of Google gift cards and sending the imposter the information they needed to use them. “He felt horrible,” the real Luke Briggs says. “Now, our policy is: everything is spam until we confirm otherwise.” For New Nexus Group, a small sales and data agency that helps consumer packaged goods (CPG) companies work with big brands like Walmart and Sam’s Club, the scam is becoming familiar. The company receives a handful of these attempts every month as bad actors employ a range of tools–from social engineering to artificial intelligence (AI)-powered attacks–to thwart the company’s security systems.

New Nexus Group is redoubling its efforts to educate employees about cyber risks and instill a culture that focuses on stopping attacks. “We all make mistakes,” Briggs says. “We have to make sure we learn from them.”

Strengthening weak links

Briggs is by no means alone when it comes to dealing with cyberattacks. In 2023, a reported 41 percent of small businesses experienced at least one cyberattack over the course of the year. Attackers have realized that small businesses often don’t have the same strong security as bigger firms do, though they still have a lot of information that people would find valuable on the dark web.

Eli Crow, founder and chief executive officer of Texas-based Education Advanced Inc., knows all about protecting high-value information. The company, which helps school districts track staff and schedule classes, has access to sensitive data about students, which isn’t readily available online.

Despite using third-party cybersecurity and anonymized data, Education Advanced is still a frequent target as attackers go after what’s often a company’s weakest link: the humans who work there. “Every time I hire someone new, and they update their LinkedIn, I can guarantee you that they’re going to get an email from someone claiming to be me,” Crow says. For Education Advanced, cybersecurity starts during the vetting process. If candidates make it to the onboarding stage, they aren’t given their login credentials until they’ve had an in-depth chat with the security team about how to spot scams, what to do if they receive a phishing email and how to protect login credentials. The company also holds regular company-wide meetings to ensure everyone remains vigilant about spotting the latest risks and alerting security the second they notice an issue. “The reputational hit of losing that kind of information would be massive,” Crow says. “It could bankrupt the company.”

More founders paying attention

Sandro Bucchianeri, group chief security officer for National Australia Bank (NAB), knows that cybersecurity isn’t always top of mind for founders. NAB is Australia’s largest business bank, so helping to protect small and midsize businesses (SMB) is a top priority. “Understandably, SMBs are focused on making sure their businesses are turning a profit,” he says. But Bucchianeri says more entrepreneurs are interested in learning about cyber issues, especially when it comes to the sessions his team holds for the bank’s small business clients. “We’ve seen a great increase and had positive feedback from people attending our webinars,” he says, “including one customer who spotted an invoice scam because they came to our session–and saved themselves $450,000 from a scammer.” The cybersecurity expert tells his founder clients to be aware of common business threats, such as invoice scams, ransomware, phishing, and scams that could compromise business email. “The important part is to know your enemy,” he notes.